Top Security Expert Warns Firewalls Don't Work #RSAC

SAN FRANCISCO —In a keynote address before the RSA Conference today that harkened back to the headstrong days of the 1980s, when defiant academics demonstrated encryption using floppy diskettes, RSA President Amit Yoran threw down the gauntlet.

Setting a keynote theme, “You Are How You Behave,” Yoran advanced the ongoing discussion of security and protection technology by admitting, from the very first moments, that the technology itself is too weak.

“The general-purpose computing paradigms that we operate under cannot be secured,” he said. “A collection of incredibly complex, interconnected systems — our digital environments are at their core. They are not deterministic.

“And with the emergence of the Internet of Things (IoT), our challenges are only going to get exponentially worse. Yet we continue to push all of our communications, collaboration and commerce online, pretending that preventative technologies like antivirus, malware sandboxing, firewalls and even next-generation firewalls will keep us safe, when we know that they won’t.

“Intellectually, we get it. But that’s not translating into changed behavior fast enough.”

No Magic

RSA was launched by cryptographers, and one of the conference's regular themes has long been that prevention is ineffective as a strategy in itself. Yoran repeated that message today, but he radically amped it up, leaving almost no one unskewered.

Even Yoran’s forthcoming boss, Michael Dell, was on the receiving end of Yoran’s jabs.

He told a story about how Dell had advised him on improving his message to attendees in 2014 by tying it more directly to products. Then he mock-sheepishly pleaded with his audience to purchase one or more devices like an RSA-branded SecurID key fob.

But then the RSA president made good use of that little joke to make the broader point that security is no longer a product but a process.

“There is no actual magic that will save us,” he stated, stalking the stage in tattered blue jeans, and a black polo shirt that looked, from the front row, like it was carrying a few food crumbs with it.

Google got skewered for its demonstration of artificial intelligence, showing how its cloud-based algorithms could defeat grand masters at the game of Go, and then suggesting that such algorithms could be put to use protecting networks.

Yoran said that Go is a game whose rules have stayed the same for thousands of years, while the rules governing software-defined networks may have changed thousands of times over just the past three years.

“Games like Go take place in a finite universe,” Yoran said with a hint of sadness, sounding at times as though he were eulogizing a more hopeful era.

“They have an extremely well-defined set of boundaries: the rules of the game. Most critically, all players — human and machine — must follow the constant, well-defined set of unchanging rules. And that is pretty much the same case for all successful applications of A.I. Knowable, static rules that can be modeled for sufficient lengths of time, with everyone playing by the same rules.

“Our opponents aren’t playing the same game, and they surely aren’t following the same rules,” he said, pausing for effect. “In fact, our opponents don’t have rules.”

Dancing Around the Elephant

Notably, Yoran avoided uttering the word “Apple,” even leaving the San Bernardino incident out of his rundown of recent security events. It was a strange omission, and at some points Yoran appeared to struggle with it, as if it wasn’t his idea.

(Apple did come up later in the morning, during the Microsoft keynote with chief legal officer Brad Smith.)

But without naming names, he did make the unusual point that terrorists may be too smart to rely upon smartphone encryption as a means to secure their communications. Only petty criminals, he said, would be amateurish enough to rely upon encryption.

By extension, he said, a government’s interest in obtaining a back door through smartphone encryption is more an effort to gain information on petty crimes, not international terrorism.

If Yoran withdrew his verbal sword for the FBI, he wielded it with abandon toward the end of his speech, calling out President Obama for continuing to include digital surveillance tools in an international pact called the Wassenaar Arrangement, which places security tools on a list of specially controlled exports. On Tuesday, the Administration announced its intent to renegotiate some sections of that agreement.

Yoran called that inclusion, “to put it charitably, absurd. It is conceivable that offensive tools and exploit kits warrant some restriction.

“And while monitoring platforms might be perverted or used for bad purposes, the answer cannot be to deny their efficient use to organizations trying to defend themselves. The misguided current interpretation penalizes every company trying to monitor their global digital infrastructure against cyber threats, and it doesn’t practically solve any problems.”

The reputation this conference has for speaking from the heart and pulling no punches continues. We'll have more from #RSAC as the week progresses.

CMSWire is a digital publication produced by Simpler Media Group, Inc.